Update doc about analyzing JSP and Thymeleaf views (#2905)

SonarSource · Apr 7, 2020 · 11cd5a5 · 11cd5a5
1 parent df7bb0a
commit 11cd5a5
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/sonar-java-plugin/src/main/resources/static/documentation.md b/sonar-java-plugin/src/main/resources/static/documentation.md
@@ -56,6 +56,27 @@ Example: `sonar.java.source=1.6`
 
 If the property is provided, the analysis will take the source version into account, and execute related rules accordingly. At run time, each of these rules will be executed – or not – depending of the Java version used by sources within the project. For instance, on a correctly configured project built with Java 6, rules targeting Java 7 and Java 8 will never raise issues, even though they are enabled in the associated rule profile.
 
+## Analysing JSP and Thymeleaf for XSS vulnerabilities
+
+In SonarQube Developer and Enterprise editions and on SonarCloud you can benefit from advanced security rules including XSS vulnerability detection. Java analyzer supports analysis of Thymeleaf and JSP views when used with Java Servlets or Spring. To benefit from this analysis you need to make your views part of the project sources using `sonar.sources` property. In practice this usually means adding the following in your Maven `pom.xml` file
+
+```xml
+     <properties>
+        <sonar.sources>src/main/java,src/main/webapp</sonar.sources>
+      </properties>
+```
+
+or if you use Gradle
+```groovy
+    sonarqube {
+    	properties {
+    		property "sonar.sources", "src/main/java,src/main/webapp"
+    	}
+    }
+```
+
+where `src/main/webapp` is the directory which contains `.jsp` or Thymeleaf's `.html` files. 
+
 ## Related Pages
 
 * [Test Coverage & Execution](/analysis/coverage/) (JaCoCo, Surefire)